[SOLVED] Task manager doesn’t work!

February 8th, 2020

I got spyware on my PC while surfing; the desktop wallpaper has changed.
When I right-click on the taskbar a pop-up menu appears, but the “Task Manager” option cannot be selected. And when I press Ctrl+Alt+Del, it says: “Task manager has been disabled by your administrator.”
How can I fix this?
I installed the new AVG 8 and scanned the whole computer, but it cannot find any spyware. I cleaned the registry with CCleaner, too, but Task Manager still doesn’t work.
Registry Editor doesn’t work either. When I go to Start/Run/regedit, it also says: “Registry editing has been disabled by your administrator.”
How can I make “Task Manager” and “Registry Editor” work again?
Thanks.

Answer #1
Yeah, I got this spyware too, dude... more specifically, malware.
http://www.malwarebytes.org/
This one helped me; I got rid of it.
Answer #2
use this
http://files.brothersoft.com/security/anti_virus/RRT.exe
Answer #3
Thank you, people, I’ll try these.
Answer #4
Hello. Follow my instructions very carefully
I need a Combofix log to start off

  • Disable your current antivirus or any other guards you might have
  • Download ComboFix from the link below and save it to your Desktop
    http://download.bleepingcomputer.com/sUBs/ComboFix.exe

  • Exit all running applications and run ComboFix
  • Agree to its terms. Let it install the Recovery Console etc. It will do a series of scans. Do not click anywhere or do anything till it finishes, as that might cause it to stall
  • It might reboot your PC. In any case it will come back with a log (a text file)
  • Copy/paste the contents of the log inside a [code] box so I can give further instructions. This step is important

Good luck
Answer #5
Yes... I forgot about ComboFix.
Answer #6
I had the same thing,
Spybot S&D fixed it for me.
But follow ^|^’s instructions for now…
Answer #7
Open Notepad, paste this code, then save it as abc.vbs
Option Explicit
' Toggles the per-user DisableRegistryTools policy (the value the malware
' set to 1). Runs under Windows Script Host; double-click the .vbs file.
Dim WSHShell, n, MyBox, p, t, mustboot, errnum
Dim enab, disab, jobfunc, itemtype

Set WSHShell = WScript.CreateObject("WScript.Shell")
p = "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\"
p = p & "DisableRegistryTools"
itemtype = "REG_DWORD"
mustboot = "Log off and back on, or restart your PC to" & vbCR & "effect the changes"
enab = "ENABLED"
disab = "DISABLED"
jobfunc = "Registry Editing Tools are now "
t = "Confirmation"

' Try to read the value. If it is not present an error is generated;
' a normal return (Err.Number = 0) means the value exists.
' Err.Number is captured before "On Error Goto 0" so the result is not lost.
Err.Clear
On Error Resume Next
n = WSHShell.RegRead(p)
errnum = Err.Number
On Error Goto 0

If errnum <> 0 Then
   ' Value absent: nothing was restricted. Create it as 0 (enabled) and
   ' stop, instead of toggling a missing value to 1 and locking regedit.
   n = 0
   WSHShell.RegWrite p, n, itemtype
   MyBox = MsgBox(jobfunc & enab & vbCR & mustboot, 4096, t)
ElseIf n = 0 Then
   ' Present and 0: toggle to 1 (this DISABLES the registry tools)
   n = 1
   WSHShell.RegWrite p, n, itemtype
   MyBox = MsgBox(jobfunc & disab & vbCR & mustboot, 4096, t)
Else
   ' Present and non-zero (what the malware set): toggle back to 0
   n = 0
   WSHShell.RegWrite p, n, itemtype
   MyBox = MsgBox(jobfunc & enab & vbCR & mustboot, 4096, t)
End If
' Confirmations can be disabled by commenting out the MyBox lines above.

Double-click this file and click on yes.
This file ^^ here enables registry editing.
After doing this, create another file and save this code there as abc.reg

Windows Registry Editor Version 5.00

; Per-user policy the malware set
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000000

; Local Group Policy copy of the same setting
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\LocalUser\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000000
"**del.DisableTaskMgr"=" "

; Machine-wide policy
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000000

; Restore the Ctrl+Alt+Del requirement at logon
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DisableCAD"=dword:00000000

Double-click on this file ^^. It enables Task Manager.
Enjoy!
Answer #8
Regedit works, Task Manager works again! Thanks, people!
But now I have another problem:
I guess it happened when the malware changed my desktop background.
When I right-click on desktop/Properties and in the “Display Properties” dialog, Desktop tab, the background option with all the wallpapers in the list (ascent, autumn, azul, bliss...) is frozen and I cannot select any of the background files in the list to change my desktop background.
I can only change the background when I select a jpg file and then use the option “Set as Desktop Background”.
How can I fix/unfreeze this list?
Thanks.
Answer #9
Can you please follow the instructions above ^
Answer #10
Here is the ComboFix.txt file:

ComboFix 08-10-29.04 - 2008-10-30 20:54:13.1 - FAT32x86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.297 [GMT 1:00]
Running from: C:\Documents and Settings\\Desktop\ComboFix.exe
 * Created a new restore point
 * Resident AV is active
.
(((((((((((((((((((((((((   Files Created from 2008-09-28 to 2008-10-30  )))))))))))))))))))))))))))))))
.
2008-10-28 20:15 . 2008-10-28 20:15   <DIR>   d--------   C:\Program Files\Malwarebytes' Anti-Malware
2008-10-28 20:15 . 2008-10-28 20:15   <DIR>   d--------   C:\Documents and Settings\\Application Data\Malwarebytes
2008-10-28 20:15 . 2008-10-28 20:15   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-28 20:15 . 2008-10-22 16:10   38,496   --a------   C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-28 20:15 . 2008-10-22 16:10   15,504   --a------   C:\WINDOWS\system32\drivers\mbam.sys
2008-10-28 19:44 . 2008-10-28 19:44   16,244   --a------   C:\WINDOWS\system32\rrt_is.wav
2008-10-28 19:44 . 2008-10-28 19:44   7,302   --a------   C:\WINDOWS\system32\rrt_vf.wav
2008-10-28 19:44 . 2008-10-28 19:44   7,148   --a------   C:\WINDOWS\system32\rrt_tv.wav
2008-10-28 19:44 . 2008-10-28 19:44   6,282   --a------   C:\WINDOWS\system32\rrt_tn.wav
2008-10-27 16:11 . 2008-10-27 16:11   <DIR>   d--h-----   C:\$AVG8.VAULT$
2008-10-27 16:06 . 2008-10-27 16:06   <DIR>   d--------   C:\WINDOWS\system32\drivers\Avg
2008-10-27 16:06 . 2008-10-27 16:06   <DIR>   d--------   C:\Program Files\AVG
2008-10-27 16:06 . 2008-10-27 16:06   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\avg8
2008-10-27 16:06 . 2008-10-27 16:06   97,928   --a------   C:\WINDOWS\system32\drivers\avgldx86.sys
2008-10-27 16:06 . 2008-10-27 16:06   76,040   --a------   C:\WINDOWS\system32\drivers\avgtdix.sys
2008-10-27 16:06 . 2008-10-27 16:06   10,520   --a------   C:\WINDOWS\system32\avgrsstx.dll
2008-10-27 15:51 . 2008-10-27 15:51   <DIR>   d--h-----   C:\WINDOWS\system32\GroupPolicy
2008-10-27 15:46 . 2008-10-27 15:46   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\TEMP
2008-10-26 21:27 . 2001-08-17 22:36   99,328   --a------   C:\WINDOWS\system32\srusd.dll
2008-10-26 21:27 . 2001-08-17 22:36   99,328   --a------   C:\WINDOWS\system32\dllcache\srusd.dll
2008-10-26 21:27 . 2001-08-17 22:36   71,680   --a------   C:\WINDOWS\system32\fnfilter.dll
2008-10-26 21:27 . 2001-08-17 22:36   71,680   --a------   C:\WINDOWS\system32\dllcache\fnfilter.dll
2008-10-26 21:27 . 2001-08-17 13:53   6,784   --a------   C:\WINDOWS\system32\drivers\serscan.sys
2008-10-26 21:27 . 2001-08-17 13:53   6,784   --a------   C:\WINDOWS\system32\dllcache\serscan.sys
2008-09-25 15:16 . 2008-09-25 15:16   <DIR>   d--------   C:\Documents and Settings\\Application Data\PlayFirst
2008-09-25 15:16 . 2008-09-25 15:16   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-09-15 16:55 . 2008-09-15 23:22   78   --a------   C:\WINDOWS\system32\test.aok
2008-09-13 18:24 . 2008-09-13 18:24   <DIR>   d--------   C:\Program Files\CCleaner
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-12 20:49   82,380   ----a-w   C:\WINDOWS\system32\drivers\AFS2K.SYS
2008-08-26 18:21   28,672   ----a-w   C:\WINDOWS\system32\Partizan.exe
2008-01-31 20:54   179,680   ----a-w   C:\Documents and Settings\\Application Data\GDIPFONTCACHEV1.DAT
.
------- Sigcheck -------
2004-09-01 08:00  359040  7b11118b078b88f87183fe69eda43137   C:\WINDOWS\system32\drivers\tcpip.sys
2004-09-01 09:00  215552  a77219a971029dc2fb683e8513713803   C:\WINDOWS\system32\termsrv.dll
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-09-01 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-10-27 1234712]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-06-07 77824]
"Malwarebytes' Anti-Malware"="C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" [2008-10-22 399504]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-09-01 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RavAV
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
--a------ 2004-12-14 02:12 483328 C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Babylon Client]
--a------ 2008-02-13 20:38 3032800 C:\Program Files\Babylon\Babylon-Pro\Babylon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-06-07 22:52 77824 C:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2004-11-02 20:24 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
--a------ 2002-04-11 04:19 69632 C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"18693:TCP"= 18693:TCP:NortonAV
R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-10-27 97928]
R2 avg8emc;AVG Free8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-10-27 875288]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-10-27 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-10-27 76040]
R2 MBAMService;MBAMService;C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe [2008-10-22 170640]
R3 MBAMProtector;MBAMProtector;C:\WINDOWS\system32\drivers\mbam.sys [2008-10-22 15504]
S3 Partizan;Partizan;C:\WINDOWS\system32\drivers\Partizan.sys [2008-08-26 30946]
S3 s3legacy;s3legacy;C:\WINDOWS\system32\DRIVERS\s3legacy.sys [2001-08-17 65664]
*Newly Created Service* - PROCEXP90
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-RRT-Auto - H:\TaskManager\Remove Restrictions Tool 4.8.0.1\Remove.Restrictions.Tool.4.8.0.1\RRT.exe
SharedTaskScheduler-IPC Configuration Utility - (no file)
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com/
O8 -: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 -: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 -: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 -: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 -: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 -: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 -: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 -: Convert to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 -: Translate with &Babylon - C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-30 20:56:55
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ... scanning hidden autostart entries ...
scanning hidden files ... scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-10-30 20:58:31
ComboFix-quarantined-files.txt  2008-10-30 19:58:24
Pre-Run: 5.227.618.304 bytes free
Post-Run: 5,216,608,256 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="MS Windows XP Professional - Radni" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(1)partition(1)\WINDOWS="MS Windows XP Professional - Melod" /noexecute=optin /fastdetect
137   --- E O F ---   2008-02-16 12:38:51

How does this “code” work?
I checked the display properties dialog and now the background files in the list can be changed, but there are a lot of files there, I don’t remember I put them there. Can I reduce the list?
Waiting for further instruction!
Thanks
Answer #11
Sorry, I put a “code” word in the ComboFix.txt file by mistake, one at the beginning and one at the end.

here it is!
Answer #12
Does Task Manager work now?
I need you to do something for me
Run > regedit
Navigate to these keys
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Policies\Explorer
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Policies\System
HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Policies\Explorer
HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Policies\System
Take a screenshot of the right hand pane for all of those keys and post them here.
Answer #13
Hello ^|^.
Do this instead; it will do exactly what ^|^ wants, but it will keep your next post shorter and easier to read.

  • Now open a new Notepad file.
  • Put this into the Notepad file:

    if exist look.txt del look.txt
    regedit /e peek1.txt "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Policies\Explorer"
    regedit /e peek2.txt "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Policies\System"
    regedit /e peek3.txt "HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Policies\Explorer"
    regedit /e peek4.txt "HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Policies\System"
    type peek1.txt >> look.txt
    type peek2.txt >> look.txt
    type peek3.txt >> look.txt
    type peek4.txt >> look.txt
    del peek*.txt
    start notepad look.txt
    del look.bat

  • Save this as look.bat on your desktop.
  • Double-click look.bat to run it.
  • A black cmd window will open and close, then look.txt will open; paste its contents in your reply.

Answer #14
^|^,
Both TaskManager and RegEdit work, also DisplayProperties/Desktop/Background list works, but there are a lot of photos in the list.
Here is look.txt:

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000e3
"NoDrives"=dword:00000000
"NoDriveAutoRun"=dword:03ffffff
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Policies\Explorer\Run]
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Policies\System]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"DisableRegistryTools"=dword:00000000
"HideLegacyLogonScripts"=dword:00000000
"HideLogoffScripts"=dword:00000000
"RunLogonScriptSync"=dword:00000001
"RunStartupScriptSync"=dword:00000000
"HideStartupScripts"=dword:00000000
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Policies\Explorer]
"NoDrives"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Policies\Explorer\run]
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Policies\System]
"HideLegacyLogonScripts"=dword:00000000
"HideLogoffScripts"=dword:00000000
"HideStartupScripts"=dword:00000000
"RunLogonScriptSync"=dword:00000001
"RunStartupScriptSync"=dword:00000000

Hope, this helps!
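The look.txt above is a plain `regedit /e` export, so it can be checked mechanically rather than by eye. The script below is an added example, not code from the thread or from any of the tools it mentions: it parses that export format, reports the policy values that Answer #7's .reg file resets (DisableTaskMgr, DisableRegistryTools) whenever they are set non-zero, and decodes the two AutoRun bitmasks from the poster's Explorer key. The sample export is constructed: the Explorer values are the ones posted above, while the HKCU System values are set to 1 to model the locked-out state from the first post. The function names are this example's own.

```python
"""Audit a regedit /e export (the look.txt that look.bat in Answer #13 builds)
for the policy values this thread turns on, and decode the two AutoRun
bitmasks reported in Answer #14.  Added example, not code from the thread.
SAMPLE_EXPORT is constructed: the Explorer values are the ones the poster
reported; the HKCU System values are set to 1 to model the lock-out from the
first post.  Helper names are this example's own."""
import re

# Bits of NoDriveTypeAutoRun, one per GetDriveType() drive type.  A set bit
# means AutoRun is *disabled* for that type; 0x80 is the reserved bit that
# Microsoft's documented XP default (0x91) also sets.
DRIVE_TYPE_BITS = {
    0x01: "DRIVE_UNKNOWN", 0x02: "DRIVE_NO_ROOT_DIR", 0x04: "DRIVE_REMOVABLE",
    0x08: "DRIVE_FIXED", 0x10: "DRIVE_REMOTE", 0x20: "DRIVE_CDROM",
    0x40: "DRIVE_RAMDISK", 0x80: "RESERVED",
}

# Policy values the malware set and Answers #7 and #21 reset, keyed by
# (lower-cased last two path components, lower-cased value name).
RESTRICTION_VALUES = {
    ("policies\\system", "disabletaskmgr"): "Task Manager disabled",
    ("policies\\system", "disableregistrytools"): "Registry Editor disabled",
    ("policies\\explorer", "norun"): "Start > Run hidden",
    ("policies\\explorer", "nofolderoptions"): "Folder Options hidden",
}

_KEY_RE = re.compile(r"^\[(.+)\]$")
_DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{1,8})$')


def parse_reg_export(text):
    """Map key path -> {value name: int} for every dword value in a
    'Windows Registry Editor Version 5.00' export.  Several exports glued
    together with `type`, as look.bat does, parse fine: the repeated header
    line matches neither pattern and is skipped."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _DWORD_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = int(m.group(2), 16)
    return keys


def decode_drive_type_mask(mask):
    """Drive types on which NoDriveTypeAutoRun=mask disables AutoRun."""
    return [name for bit, name in sorted(DRIVE_TYPE_BITS.items()) if mask & bit]


def decode_drive_letter_mask(mask):
    """Drive letters on which NoDriveAutoRun=mask disables AutoRun (bit 0 = A:)."""
    return [chr(ord("A") + i) for i in range(26) if mask & (1 << i)]


def find_restrictions(keys):
    """(key path, value name, meaning) for every restriction set non-zero."""
    hits = []
    for key, values in keys.items():
        suffix = "\\".join(key.lower().split("\\")[-2:])
        for name, val in values.items():
            meaning = RESTRICTION_VALUES.get((suffix, name.lower()))
            if meaning and val != 0:
                hits.append((key, name, meaning))
    return hits


def audit(text):
    """Run every check over one export and return the findings."""
    keys = parse_reg_export(text)
    report = {"restrictions": find_restrictions(keys),
              "autorun_disabled_types": None, "autorun_disabled_letters": None}
    for key, values in keys.items():
        if not key.lower().endswith("policies\\explorer"):
            continue
        lowered = {n.lower(): v for n, v in values.items()}
        if "nodrivetypeautorun" in lowered:
            report["autorun_disabled_types"] = decode_drive_type_mask(lowered["nodrivetypeautorun"])
        if "nodriveautorun" in lowered:
            report["autorun_disabled_letters"] = decode_drive_letter_mask(lowered["nodriveautorun"])
    return report


# Constructed sample in the shape look.bat produces (two exports concatenated).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000e3
"NoDrives"=dword:00000000
"NoDriveAutoRun"=dword:03ffffff
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Policies\System]
"DisableRegistryTools"=dword:00000001
"DisableTaskMgr"=dword:00000001
"""

if __name__ == "__main__":
    for item, detail in audit(SAMPLE_EXPORT).items():
        print(item, "->", detail)
```

Two things worth knowing when you run this on a real export. First, `regedit /e` writes UTF-16LE with a byte-order mark; look.bat's `type` rewrites the text in the console code page, so look.txt reads as plain text, but a raw export has to be opened with `encoding="utf-16"`. Second, the poster's 0xe3 mask leaves AutoRun on for removable and fixed drives (the types a flash-drive worm rides on) and only blocks CD-ROM, RAM disk and the two unknown types, whereas NoDriveAutoRun=0x03ffffff blocks every letter A: to Z:, which is consistent with the "flash doesn't autoplay any more" observation later in the thread.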
Answer #15
By the way, I noticed in “System Configuration Utility”/win.ini some software (e.g. autodata cd) which I thought I had deleted; and in “start up”: acrotray, babylon, qttask (unchecked). Do they have to be there?
Also, there is some “partizan” left which is shown while starting Windows; I used it to delete something called adober!
Maybe they caused this?
Thanks
Answer #16
Can you give a screenshot of those desktop entries you’re mentioning?
Answer #17
What is screenshot?
Answer #18
How do I give a screenshot?
Start/Run/msconfig
System Configuration Utility
The “win.ini” tab and the “start up” tab have some items (esiwin install, autodata cd); I don’t know what they are for?
Answer #19
win.ini has been used in the past to load droppers of malware. Looking back at your CF log, I see RavAV, part of the AdobeR.exe virus; it’s a flash-drive infection.
Have you used any external drives/Ipods?
bochke, I need you to unhide protected operating system files.

    To Unhide Files and folders:

  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
    Under the Hidden files and folders heading deselect “Hide protected operating system files (Recommended)”

  • Check the “Show hidden files and folders” option.
  • Hit the “Apply To All Folders” option.
  • Click Yes to confirm. Click OK.

Is there any autorun.inf file in the root of your C:\ drive (and if you have a D drive, check that too)?
Navigate to this file:
C:\Windows\win.ini
Open it in notepad, copy and paste everything inside it back here. (do not modify anything)
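The two things asked for above are checked by the same kind of look: an autostart line that Windows still honours in win.ini (load= and run= under [windows]) and a program-launching directive in a drive-root autorun.inf (open=, shellexecute=, shell\<verb>\command=). The script below is an added example, not code from the thread or from any of the tools in it. Both inputs are constructed: the win.ini mixes the poster's msconfig-disabled sections with a hypothetical run= line that the real file did not contain, and `dropper.exe` is a made-up name. It also reports the `;msconfig` lines separately, because msconfig disables a win.ini entry by commenting it out rather than deleting it, which is why such lines are left behind.

```python
"""Find the two autostart vectors Answer #19 asks about: load=/run= lines in
the [windows] section of win.ini, and program-launching directives in a
drive-root autorun.inf.  Added example, not code from the thread.  Both
inputs are constructed: the win.ini mixes the poster's msconfig-disabled
sections with a hypothetical run= line the real file did not contain, and
dropper.exe is a made-up name."""

MSCONFIG_PREFIX = ";msconfig "  # msconfig disables a win.ini line by prefixing it


def parse_ini(text):
    """Minimal INI reader that keeps comment lines, because msconfig disables
    an entry by commenting it out rather than deleting it."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def win_ini_autostarts(text):
    """(section, key, value, active) for every load=/run= entry under
    [windows] and for every line msconfig has disabled anywhere in the file."""
    found = []
    for section, lines in parse_ini(text).items():
        for line in lines:
            disabled = line.lower().startswith(MSCONFIG_PREFIX)
            if line.startswith(";") and not disabled:
                continue  # ordinary comment
            body = line[len(MSCONFIG_PREFIX):] if disabled else line
            if "=" not in body:
                continue
            key, _, value = body.partition("=")
            key, value = key.strip().lower(), value.strip()
            if section == "windows" and key in ("load", "run") and value:
                found.append((section, key, value, not disabled))
            elif disabled:
                found.append((section, key, value, False))
    return found


def autorun_commands(text):
    """(directive, command) for each [autorun] line that launches a program:
    open=, shellexecute=, or shell\\<verb>\\command=."""
    cmds = []
    for line in parse_ini(text).get("autorun", []):
        if line.startswith(";") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key in ("open", "shellexecute") or (
                key.startswith("shell\\") and key.endswith("\\command")):
            cmds.append((key, value.strip()))
    return cmds


# Constructed inputs (see the module docstring).
SAMPLE_WIN_INI = r"""; for 16-bit app support
[windows]
load=
run=C:\WINDOWS\system32\dropper.exe
[ESIWIN INSTALL]
;msconfig AUTODATAPATH=C:\ADCDA2
[AUTODATA CD]
;msconfig PATH=C:\ADCDA2
[MCI Extensions.BAK]
mp3=MPEGVideo
"""

SAMPLE_AUTORUN_INF = r"""[autorun]
open=Sys\dropper.exe
icon=Sys\drive.ico
shell\open\Command=Sys\dropper.exe
shell=open
"""

if __name__ == "__main__":
    for entry in win_ini_autostarts(SAMPLE_WIN_INI):
        print("win.ini", "ACTIVE  " if entry[3] else "disabled", entry[:3])
    for directive, command in autorun_commands(SAMPLE_AUTORUN_INF):
        print("autorun.inf", directive, "->", command)
```

On the sample, only the hypothetical run= line comes back as active; the two `;msconfig` lines are reported as disabled, which is the state the poster's real win.ini shows. For autorun.inf, `shell=open` on its own is harmless (it only picks the default verb); the line that matters is the `shell\open\Command=` it points at, so the check matches on the command directives rather than the verb selector.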
Answer #20
Ah. Those are just startup entries. They’re harmless but can bog down the system. Let’s see if we can do something about it
Download HiJackThis from the link below
http://www.trendsecure.com/portal/en-US/_download/HiJackThis.exe
Run it, select scan system and make log file
Copy/paste that log file here
Answer #21
I think you got the NoooH virus.
When you open the PC you will get a message telling you to try to open the Task Manager, and the title of the message will show NoooH.

[image]

You can remove it by doing this:
Start your PC in Safe Mode by pressing F5 or F8 when you start the OS,
and then show the hidden files and untick the “Hide protected operating system files (Recommended)” option.
Take care when you open any of your drives: right-click it and choose Open; never double-click, because of the virus shown at E:\Sys.
Then
right-click the C drive and choose Open, then go to C:\WINDOWS\Web
and delete the system file named Sys.
Then go to every drive, right-click, Open, and delete the autorun and Sys files.
Restart your PC.
Open the Run command and write gpedit.msc
User Configuration
Administrative Templates
System
Ctrl+Alt+Del Options
Disable
Go back and choose “Prevent access to registry editing tools”
and choose Not Configured.

Hope this helps you.
Answer #22
My computer is slower now. When I start Windows it does something for over a minute before the red light (hard disk) stops lighting, and then it’s “normal”; this usually takes less time.
I have an external HD, but I haven’t used it for a while (long before the malware); but I use flash memory often (by the way, when I insert a flash drive in USB it doesn’t autoplay anymore). Can I delete RavAV?
The autorun.inf file does not exist in the root of any of my drives.
Here is “win.ini”:
(Can I delete the row with “;msconfig AUTODATAPATH=C:\ADCDA2”?)

; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
[MCI Extensions.BAK]
aif=MPEGVideo
aifc=MPEGVideo
aiff=MPEGVideo
asf=MPEGVideo
asx=MPEGVideo
au=MPEGVideo
m1v=MPEGVideo
m3u=MPEGVideo
mp2=MPEGVideo
mp2v=MPEGVideo
mp3=MPEGVideo
mpa=MPEGVideo
mpe=MPEGVideo
mpeg=MPEGVideo
mpg=MPEGVideo
mpv2=MPEGVideo
snd=MPEGVideo
wax=MPEGVideo
wm=MPEGVideo
wma=MPEGVideo
wmv=MPEGVideo
wmx=MPEGVideo
wpl=MPEGVideo
wvx=MPEGVideo
[ESIWIN INSTALL]
;msconfig AUTODATAPATH=C:\ADCDA2
[AUTODATA CD]
;msconfig PATH=C:\ADCDA2
[IRIS_IPE]
menu=1
[MSUCE]
Advanced=1
CodePage=Unicode
Font=France YU
[netsock]
netapi.dll-UVU-MMVOYBMFEB-b41=23986742

^|^, when I start the system I used to have two OSes to choose from; now there is a third one, “Microsoft Windows Recovery Console”. I think this one came with one of the programs you gave me to run (ComboFix, or when I made the “look.txt” file). Can someone use these “codes” I’m sending you to influence my computer?
There is still that “RegRun Partizan – Bootwatch Antirootkit” when I start Windows! I used it before to remove adober.
Here is hijackthis.log:
(Should I use the “fix” button? I just made a log file.)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:39:02, on 02/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Documents and Settings\\Desktop\HiJackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Translate with &Babylon - res://C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodata Limited License Service - Autodata Limited - C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
--
End of file - 4729 bytes

, sorry but I'm not sure I can follow you… my task manager works…
I don't have any messages (noooh) when I start my PC. And there is no "sys" file in the Web folder!
Answer #23
I have an external HD, but haven't used it for a while (long before malware), but I use flash memory often (by the way, when I insert flash in usb it doesn't autoplay anymore). Can I delete RavAV?
Sure. Autoplay on USBs is better left disabled, as autorun viruses from USB drives are one of the most common ways of getting yourself infected. I actually recommend keeping something like Davis Flash Guard on your PC if you use a lot of removable drives.
My comp is slower now, when I start windows... it does something over a minute before red light (hard disk) stops lighting... and then it's "normal"... this usually lasts shorter...
That's a bug with Windows, not due to a virus. Can you disable your network adapter and reboot? If it starts up faster, then that bug will be confirmed.
You have very few processes running. The PC is still slow? I can't find a reason for it.
Answer #24
How do I disable my network adapter?
is there a way to remove a “Microsoft Windows Recovery Console” from the boot list?
Answer #25
How do I disable my network adapter?
Go into Computer Management >> Device Manager >> from the drop-down list, open up Network Adaptors and right click >> Disable.
is there a way to remove a "Microsoft Windows Recovery Console" from the boot list?
Yes there is. Go to Tools in My Computer >> Folder Options, then select "Show hidden files and folders". Now go into the C drive, copy boot.ini to another location (for backup) and then go back to the C drive. Open up boot.ini with Notepad and remove this line from it:
C:\cmdcons\bootsect.dat="Microsoft Windows Recovery Console" /cmdcons
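The boot.ini edit from Answer #25, done as a script instead of by hand. This is an added example, not code from the thread or from anyone posting in it. The sample boot.ini is constructed in the layout Windows XP used, and the file paths (C:\boot.ini and a backup beside it) are assumptions. The script keeps the backup step the answer asks for, only removes entries under [operating systems] that carry /cmdcons or point at cmdcons\bootsect.dat, and refuses to write if the default= target is the entry being removed or if no operating system entry would be left.

```python
"""Remove the Recovery Console entry from a Windows XP boot.ini safely.

Added example (not from the thread). It works on the text of boot.ini
first, so the result can be inspected before anything is written.
"""
import re
import shutil
from typing import List, Tuple

# Constructed sample boot.ini; the last entry is the line Answer #25 removes.
SAMPLE_BOOT_INI = """[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\\WINDOWS="Microsoft Windows XP (second)" /fastdetect
C:\\cmdcons\\bootsect.dat="Microsoft Windows Recovery Console" /cmdcons
"""


def parse_boot_ini(text: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Return (default target, [(boot path, rest of entry line)])."""
    default = ""
    entries: List[Tuple[str, str]] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "boot loader":
            key, _, value = line.partition("=")
            if key.strip().lower() == "default":
                default = value.strip()
        elif section == "operating systems":
            path, _, rest = line.partition("=")
            entries.append((path.strip(), rest.strip()))
    return default, entries


def is_recovery_console_entry(line: str) -> bool:
    """Match the entry by its /cmdcons switch or its bootsect.dat path."""
    path = line.partition("=")[0].strip().lower()
    return bool(re.search(r"/cmdcons\b", line, re.IGNORECASE)) or \
        path.endswith("cmdcons\\bootsect.dat")


def remove_recovery_console(text: str) -> Tuple[str, List[str]]:
    """Return (new boot.ini text, removed lines); raise rather than break boot."""
    default, _ = parse_boot_ini(text)
    kept: List[str] = []
    removed: List[str] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            kept.append(raw)
            continue
        if section == "operating systems" and is_recovery_console_entry(line):
            path = line.partition("=")[0].strip()
            if path.lower() == default.lower():
                raise ValueError("default= points at the Recovery Console entry; "
                                 "change default= to a Windows entry first")
            removed.append(raw)
            continue
        kept.append(raw)  # every other line is preserved byte for byte
    new_text = "\n".join(kept) + "\n"
    if not parse_boot_ini(new_text)[1]:
        raise ValueError("refusing to write a boot.ini with no operating systems")
    return new_text, removed


def remove_from_file(path: str, backup_path: str) -> List[str]:
    """Back boot.ini up first, as Answer #25 advises, then rewrite it in place."""
    with open(path, "r", encoding="ascii", errors="replace") as f:
        original = f.read()
    new_text, removed = remove_recovery_console(original)
    shutil.copy2(path, backup_path)  # backup before any write
    if removed:
        with open(path, "w", encoding="ascii") as f:
            f.write(new_text)
    return removed


if __name__ == "__main__":
    # Dry run on the constructed sample; real use would be
    # remove_from_file(r"C:\boot.ini", r"C:\boot.ini.bak") (assumed paths).
    text, gone = remove_recovery_console(SAMPLE_BOOT_INI)
    print("removed:", gone)
    print(text)
```

On XP, boot.ini carries the read-only, system and hidden attributes, so the write in remove_from_file fails until they are cleared (attrib -r -s -h C:\boot.ini) and should be restored afterwards. Deleting the entry only hides the console from the boot menu; the C:\cmdcons folder itself stays on disk.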
Answer #26
I disabled all of my network adapters (6 of them) and I guess it's not slow for that long anymore (it used to be slow for a minute or two after starting windows and then work normally – maybe because of AVG). Should I enable them again? What are they used for?
I have 27 processes running when windows starts!
Anyway, thank you, people, for your help.
TaskManager and RegEditor work.
thanks.
Cheers!
Answer #27
That slowing down of the network adapters thing has plagued me for years as well. To this day I really can't find a solution to that. It just occurs out of nowhere. Only happens on XP though, never on Vista.
Answer #28
Thanks anyway.
All I need works fine now.
I was just wondering if I should enable them again?
Answer #29
If you enable them again it might slow down again. Check and see.